0

How can I add flow properly, using MD-SAL

asked 2015-01-14 04:13:46 -0700

bsvTag

updated 2015-01-14 04:14:14 -0700

Hi, my environment consists of OpenStack (devstack version) with OpenDaylight as a switch controller. I have two instances running in OpenStack. I'm trying to add a flow using MD-SAL which blocks any communication on a specific port between OpenStack instances. I follow the EndtoEndFlow wiki guide and the flow-node-inventory spec, and try to add the flow using Postman as follows:

PUT /restconf/config/opendaylight-inventory:nodes/node/openflow:257989387785286/table/0/flow/block5000 HTTP/1.1
Accept: application/xml
Content-Type: application/xml
Authorization: Basic YWRtaW46YWRtaW4=
Cache-Control: no-cache

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<flow xmlns="urn:opendaylight:flow:inventory">
  <priority>2</priority>
  <flow-name>block5000</flow-name>
  <match>
     <in-port>5000</in-port>
  </match>
  <id>block5000</id>
  <table_id>0</table_id>
  <instructions>
    <instruction>
        <order>0</order>
        <apply-actions>
            <action>
               <order>0</order>
               <drop-action/>
            </action>
        </apply-actions>
    </instruction>
  </instructions>
</flow>

However, this flow doesn't block traffic between the running OpenStack instances (I'm using netcat to emulate traffic activity between instances). When I issue a GET request:

GET /restconf/config/opendaylight-inventory:nodes/node/openflow:257989387785286/table/0/ HTTP/1.1
Accept: application/xml
Content-Type: application/xml
Authorization: Basic YWRtaW46YWRtaW4=
Cache-Control: no-cache

I can see my flow. But I'm not able to get statistics for my flow using the /restconf/operational/opendaylight-inventory:nodes/node/openflow:1/table/0/ URL. Can anybody point out the problem with my flow and a way to get its stats? Thanks.


Comments

Where do you see your flow?

Chris O'Shea (2015-01-14 08:48:33 -0700)

Chris, when I call GET /restconf/config/opendaylight-inventory:nodes/node/openflow:257989387785286/table/0/ I can see a list of flows, including my flow.

bsvTag (2015-01-14 08:55:06 -0700)

That only shows the flow was accepted into the datastore. Can you check on the OpenFlow switch to see if the switch accepted the flow?

Chris O'Shea (2015-01-14 08:59:11 -0700)

Chris, I found out that the flow added via MD-SAL is not accepted by the switch. However, I checked the AD-SAL flow API, and it looks like it's accepted; however, flow stats are zero.

bsvTag (2015-01-14 09:24:51 -0700)

Here it is: cookie=0x0, duration=2134.231s, table=0, n_packets=0, n_bytes=0, send_flow_rem priority=32535,tcp,in_port=3,tp_dst=5000 actions=drop

bsvTag (2015-01-14 09:25:10 -0700)

2 answers

1

answered 2015-01-14 12:56:27 -0700

Moderators

Hi,

Just looking at your comment with the flow output, I see you're matching the TCP destination port of 5000, whereas in the XML flow you posted you are matching the in-port 5000 (which port the traffic came in on). This will also explain why the switch rejects it, if it doesn't have an OpenFlow port with the ID of 50.

Below is what I believe should be the flow:

PUT /restconf/config/opendaylight-inventory:nodes/node/openflow:257989387785286/table/0/flow/block5000 HTTP/1.1
Accept: application/xml
Content-Type: application/xml
Authorization: Basic YWRtaW46YWRtaW4=
Cache-Control: no-cache

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<flow xmlns="urn:opendaylight:flow:inventory">
  <priority>32535</priority>
  <flow-name>block5000</flow-name>
  <match>
     <tcp-destination-port>5000</tcp-destination-port>
     <in-port>3</in-port>
  </match>
  <id>block5000</id>
  <table_id>0</table_id>
  <instructions>
    <instruction>
        <order>0</order>
        <apply-actions>
            <action>
               <order>0</order>
               <drop-action/>
            </action>
        </apply-actions>
    </instruction>
  </instructions>
</flow>

Comments

Chris, I found it also, and fixed it. However, I noticed that port-level filtering is not working. Only when I set ipv4-destination can I block traffic between instances. I'm looking now at what the problem with port filtering is.

bsvTag (2015-01-15 23:43:00 -0700)

Port as in TCP/UDP port or as in switch port? It may be useful to capture the error message from the switch if it rejects the flow; right now ODL doesn't have a nice way to do it. So tcpdump/Wireshark, and you may also look at the switch's log file.

Chris O'Shea (2015-01-16 09:42:58 -0700)

I mean tcp-destination-port, not switch port. I can see the installed flow in the switch using the 'ovs-ofctl dump-flows' command. However, filtering only by destination port doesn't block traffic. I'll do tcpdump/Wireshark research soon to find out the reason. Maybe I'm missing something. Thanks anyways!

bsvTag (2015-01-16 12:19:03 -0700)
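A pre-submission check for the two match problems this thread runs into: an in-port that is not a switch port, and a layer-4 port match sent without the ip-protocol and ethernet-type fields that OpenFlow 1.3 lists as its prerequisites. This is an added example, not code from the thread or from OpenDaylight; the `ethernet-match` and `ip-match` element paths are taken from the flow-node-inventory model as an assumption, and the port set and sample flows are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"f": "urn:opendaylight:flow:inventory"}
# Layer-4 match leaf -> IP protocol number OpenFlow requires alongside it.
L4_FIELDS = {"tcp-source-port": 6, "tcp-destination-port": 6,
             "udp-source-port": 17, "udp-destination-port": 17}
IP_ETHERTYPES = {0x0800, 0x86DD}  # IPv4, IPv6

def lint_flow(xml_text, switch_ports):
    """Return a list of findings for one <flow> body (empty list = clean)."""
    match = ET.fromstring(xml_text).find("f:match", NS)
    if match is None:
        return ["no <match>: flow applies to every packet"]
    findings = []
    in_port = match.findtext("f:in-port", namespaces=NS)
    # in-port may be a bare number or "openflow:<dpid>:<port>"; compare the port part.
    if in_port is not None and in_port.strip().rsplit(":", 1)[-1] not in switch_ports:
        findings.append(f"in-port {in_port} is not a port on this switch")
    eth = match.findtext("f:ethernet-match/f:ethernet-type/f:type", namespaces=NS)
    proto = match.findtext("f:ip-match/f:ip-protocol", namespaces=NS)
    for leaf, need in L4_FIELDS.items():
        if match.find(f"f:{leaf}", NS) is None:
            continue
        if proto is None or int(proto) != need:
            findings.append(f"{leaf} needs ip-protocol {need}")
        if eth is None or int(eth) not in IP_ETHERTYPES:
            findings.append(f"{leaf} needs an IP ethernet-type (2048 or 34525)")
    return findings

def sample_flow(match_body):
    # Constructed sample: only the fields the lint looks at.
    return ('<flow xmlns="urn:opendaylight:flow:inventory"><id>block5000</id>'
            f'<table_id>0</table_id><match>{match_body}</match></flow>')

PORTS = {"1", "2", "3"}  # constructed: port numbers present on the switch
QUESTION = sample_flow("<in-port>5000</in-port>")
ANSWER = sample_flow("<tcp-destination-port>5000</tcp-destination-port>"
                     "<in-port>3</in-port>")
COMPLETE = sample_flow(
    "<in-port>3</in-port>"
    "<ethernet-match><ethernet-type><type>2048</type></ethernet-type></ethernet-match>"
    "<ip-match><ip-protocol>6</ip-protocol></ip-match>"
    "<tcp-destination-port>5000</tcp-destination-port>")

if __name__ == "__main__":
    for name, xml in (("question", QUESTION), ("answer", ANSWER), ("complete", COMPLETE)):
        print(name, lint_flow(xml, PORTS))
```

A clean result only says the match is well-formed; whether the switch installed it still has to be read from the switch or the operational datastore.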
0

answered 2017-04-03 08:18:48 -0700

dmolavi

Hate to dredge up an old topic, but I'm running into the same problem. I define my flow, with a src/dst IP pair, IP protocol 6, dest tcp port 80, with a 'drop' action. The flow is in both config and operational, with a priority of 32768, but is not matched and the traffic isn't blocked.

Were you able to get this resolved, and if so, how?


Stats

Asked: 2015-01-14 04:13:46 -0700

Seen: 637 times

Last updated: Apr 03